With security awareness, money talks

Evan Schuman |
May 11, 2017

The precautions we urge on employees interfere with their jobs.

According to a recent report, academics have been analyzing brainwaves of computer users to improve how they are alerted to cybersecurity dangers. I’m sorry, but getting users to pay stricter attention to security isn’t brain surgery: It’s all about money and job security. Come to think of it, job security itself is all about money, which makes money the only carrot and the only stick that IT needs.

“Especially when they are engaged in another activity”? As opposed to when exactly? The problem this approach is addressing is not the actual problem. Changing background colors and switching formats would maybe, possibly help if the problem was that users weren’t noticing these warnings.

In reality, the problem is that users don’t care about these warnings. More precisely, users don’t care about security nearly as much as they do that other activity, which is typically work.

This is also the problem with much of security training. It teaches and preaches and drills and quizzes, all with the goal of making users familiar with proper security procedures. But it does little to convince them to prioritize those procedures over the work project that is about to hit its deadline.

Consider, for example, Employee Emma. Emma knows all about phishing schemes and how attachments can deliver viruses and Trojans. But when Emma is rushing to finish a project by deadline and sees an email from her boss saying, “Urgent. Project change,” and it includes what appears to be a Word attachment, what is she likely to do?

Proper procedure for any attachment that wasn’t explicitly expected is for Emma to phone, text or email her boss directly (but not by replying to the suspect message) to see if her boss did indeed send her something. Alternatively, she can click on the message and see what it is. Does she risk her deadline by ignoring what appears to be project-related urgent message from her boss?

Undercutting the incentives for employees to do the right thing for security purposes is the fact that the vast majority of email attachments from a boss will in fact be a legitimate email attachment from the boss. Even with rampant phishing attacks happening today, most attachments are legitimate, in the same way that most people ringing your home doorbell are not homicidal maniacs.